
Conversation

@cwlacewe
Contributor

Update app to use VDMS v2.12.0:

Dockerfiles

  • frontend: remove pinned protobuf and move vdms to requirements.txt
  • vdms: update base image and hash

Merge changes to VideoCommand.cc and api_schema.json from updated vdms

Signed-off-by: Lacewell, Chaunte W <[email protected]>
@cwlacewe
Contributor Author

Pinned-Dependencies

Hash

To resolve the "Scorecard pip Command not pinned by hash" error, you must pin all Python dependencies in your requirements.txt file to specific versions and include their corresponding hashes.
This practice ensures build integrity and prevents supply chain attacks by only allowing verified package files to be installed.

  1. Generate a requirements file with hashes:

    • Create a requirements.in file listing your project's direct dependencies with general version specifiers (e.g., requests).

    • Use a tool like pip-compile from the pip-tools package with the --generate-hashes option to create a fully pinned requirements.txt file that includes SHA256 hashes for each dependency.

      pip install pip-tools
      cp requirements.txt requirements.in
      pip-compile -o requirements.txt --generate-hashes requirements.in

      This command generates a requirements.txt file with entries like:

      requests==2.25.1 \
          --hash=sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804 \
          --hash=sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e
      
  2. Use the generated requirements file for installation:

    • In your build process (e.g., in a Dockerfile or a GitHub Actions workflow), use the generated requirements.txt file with pip install. The hashes will be automatically checked during installation.

      pip install -r requirements.txt

  3. Ensure all commands are pinned:

    • Review all pip install commands in your project's configuration files (e.g., Dockerfile, Makefile, CI/CD workflow files).
    • If you have a command like RUN pip install --upgrade pip in a Dockerfile, you may need to use a workaround such as installing without dependencies (--no-deps) or upgrade pip as part of a multi-stage build process to avoid this specific flag from Scorecard.
    • For other dependencies, ensure they are managed through your hashed requirements.txt file.

This process ensures that your build environment only uses packages that match the specific, verified file hashes, thereby improving the supply chain security of your project as recommended by the OpenSSF Scorecard.

…stall commands, update .gitignore, enable unbuffered logging in Dockerfiles

Signed-off-by: Lacewell, Chaunte W <[email protected]>
sys-vdms previously approved these changes Jan 23, 2026
… and regenerate requirements files

Signed-off-by: Lacewell, Chaunte W <[email protected]>
@cwlacewe cwlacewe merged commit 4cccdd9 into main Jan 23, 2026
4 checks passed
@cwlacewe cwlacewe deleted the update_vdms branch January 23, 2026 20:40